[00:00.640 --> 00:06.420]  Hi, I'm Bryson. I'm going to be joined by Nina, who's going to help me transcend ICS and med,
[00:06.420 --> 00:12.960]  which is our medics med ICS talk. In fact, Nina, you deserve named credit for helping me out on
[00:12.960 --> 00:18.960]  this perilous task. Thank you. I also wanted to be noted that I got informed of this like,
[00:18.960 --> 00:24.720]  what, 18 hours ago that I would be on this panel discussion fireside chat with you.
[00:24.720 --> 00:31.840]  Was it even 18 hours ago? No, I've been awake for way too long. So does this mean that I
[00:31.840 --> 00:41.020]  am part of the unicorn tribe now? You are now part of the herd. Unicorns are herds. They get herds.
[00:41.640 --> 00:45.160]  Yes. So hear what we have to say. All right. We're going to stop at the bad jokes.
[00:45.180 --> 00:53.020]  Welcome to my med ICS talk with now joined by the illustrious Nina. All right. So who am I
[00:53.020 --> 00:58.060]  besides wearing the unicorn stuff? I founded Scythe and Grimm. I'm the co-founder of my own
[00:58.060 --> 01:05.380]  village, the ICS village. I feel like there's a pattern here. So also check us out at DEF CON 2
[01:05.380 --> 01:10.100]  to get even more information about ICS. And of course, all of our talks will be published as
[01:10.100 --> 01:15.900]  well for more detail. All right. Let's get started. All right. So outline. We're going
[01:15.900 --> 01:20.780]  to be talking through all things ICS. Why is it relevant to hospitals? What are some of the
[01:20.780 --> 01:26.700]  pieces around implementation? How is ICS different than traditional information technology?
[01:27.020 --> 01:32.460]  And then specific issues and threats that are organic specifically to industrial control
[01:32.460 --> 01:38.780]  systems. A quick little note that I got here from yesterday is IBM with Ponemon published their cost
[01:38.780 --> 01:46.500]  of a data breach report. Comparing the breach lifecycle, so when a breach happens to when it is
[01:46.500 --> 01:54.920]  found and expunged, healthcare is 96 days slower on average compared to the leader of finance. So
[01:54.920 --> 02:01.280]  we already have seen an industry that, yes, you were like building up for it. First interruption,
[02:01.280 --> 02:08.060]  first question. So then what is the time frame of a financial industry breach lifecycle? And
[02:08.560 --> 02:13.340]  then how does that 96 days get added to that? Not how, but like what's the
[02:13.340 --> 02:19.020]  normal time frame for one? Sure, I'm trying to remember what that number was. I want to
[02:19.020 --> 02:28.580]  say it was either 208 or 280 days. So 200 and some days is the fastest for an industry on average to
[02:28.580 --> 02:35.280]  find a breach and get rid of it. And healthcare is 96 days slower on average for that. So that
[02:35.280 --> 02:42.380]  is over three months longer to eradicate a breach from their systems. You said 200 days?
[02:42.380 --> 02:48.200]  That is the fastest, which is finance. 200 plus 96 is approximately a year. Yes. You said three
[02:48.200 --> 02:55.720]  months. No, so 96 days is three months. Got it, got it. My math is no good. Okay, yes.
[02:56.860 --> 02:59.520]  Do you want to co-found the math village? Can we do that next?
[03:00.920 --> 03:05.720]  Making stats literate for everybody. You know what, that would be great. I would love that part.
[03:05.720 --> 03:08.180]  So Nina, you have some notes on why this is important.
[03:10.020 --> 03:15.440]  I love that you added this in here. I'm going to let you talk through it so I can just
[03:15.980 --> 03:19.860]  bombard you with questions. These were literally your notes. I just didn't take them out.
[03:19.860 --> 03:26.300]  I know, I get that. Okay, so then I guess I'm speaking to it. So I think as we all know at the
[03:26.300 --> 03:32.540]  biohacking village and folks listening, so healthcare is a 365-day entity. Downtime for
[03:32.540 --> 03:40.720]  any medical devices or AMRs would mean dead time for patients. What people don't really consider
[03:40.720 --> 03:48.420]  in the medical ecosystem is the electricity, the water, gas. How are these things affected and
[03:48.420 --> 03:53.420]  does it, can it hurt patient care? If you go to the dentist, for instance, because I feel like
[03:53.420 --> 03:57.260]  that's something that everybody can more or less relate to, that water flow that they have in your
[03:57.260 --> 04:01.340]  mouth and there's a suction on the other side, that gets treated and then it gets sent out into
[04:01.340 --> 04:09.420]  the world. Electricity, if a surgical suite was underway and electricity went out, granted there
[04:09.420 --> 04:14.180]  are generators, but let's think about how often the generators are checked and made sure that they
[04:14.180 --> 04:20.420]  are still active and can produce any electricity or whatever the needs of the hospital is. Negative
[04:20.420 --> 04:26.180]  airflow and filtration, super important. We're in COVID right now. We know that it's an airborne disease
[04:26.180 --> 04:32.800]  and just in generalities, that negative airflow that goes from the hospital removes and reduces
[04:33.380 --> 04:37.240]  the nosocomial diseases. Nosocomial diseases are the diseases that you get
[04:37.240 --> 04:44.740]  in the hospital while you're in the hospital. There are backups to backups in hospitals usually,
[04:44.740 --> 04:56.160]  but again, how often are they checked? How often are they changed? Who's checking on these? Where's...
[04:56.160 --> 05:01.640]  I'm a city girl, so one of the problems that happened at NYU during Hurricane Sandy
[05:01.640 --> 05:07.200]  was that their servers and the generators were in the basement and the unfortunate truth is that
[05:07.200 --> 05:11.980]  those were then gone when the hospital itself got flooded by all the waters and they had to
[05:11.980 --> 05:16.720]  move the patients over to nearby hospitals. And just thinking about how patients are transported
[05:17.680 --> 05:22.820]  from one hospital to another, how are they producing medical notes and medical discharges
[05:22.820 --> 05:30.260]  so that that patient would get treated accurately by that next physician that took care of them?
[05:32.200 --> 05:36.920]  Healthcare is a great analog for industrial control systems because unlike traditional IT,
[05:36.920 --> 05:41.820]  when we think of the confidentiality, integrity, and availability triad,
[05:41.820 --> 05:46.440]  IT generally goes in that order and it's flipped for industrial control systems because just like
[05:46.440 --> 05:51.940]  healthcare, we need something where availability is the utmost of importance. If I lose electricity
[05:51.940 --> 05:59.460]  in the middle of an operation, that can cause patient harm. Modern society rests on critical
[05:59.460 --> 06:06.200]  infrastructure, electricity, water, finance, transportation. If those went out, we go to
[06:06.200 --> 06:12.240]  the stone age almost overnight. The longer it's out, the more damage that's done and there are
[06:12.240 --> 06:16.140]  the statistical models then of understanding what that implication is. The final piece on
[06:16.140 --> 06:20.720]  industrial control systems is there are two levels of it that are relevant for the hospital setting.
[06:20.720 --> 06:24.600]  There's of course what we're talking about here, which is the grid, the infrastructure that
[06:25.360 --> 06:30.160]  nominally is providing all of the different resources to the facility. And then there
[06:30.160 --> 06:36.300]  are industrial control systems embedded inside the facility to help do particular elements.
[06:36.460 --> 06:42.400]  Nina talked about air filtration and negative airflow. We will have a slide later on that we
[06:42.400 --> 06:46.440]  talked about in the podcast a couple of months ago where we're going to go into detail on some
[06:46.440 --> 06:52.520]  of those systems and how they interconnect. I want to add something to my notes. The wi-fi,
[06:52.520 --> 06:57.900]  right? Nobody's... we haven't thought about how the internet connectivity, if that went out, would
[06:57.900 --> 07:03.260]  affect all of this. So again, just if you can't print out a patient record or if you're taking
[07:03.260 --> 07:07.460]  blood and you can't specifically say that this is this patient's because you have to enter
[07:07.460 --> 07:12.100]  it into the EMR and then a thing prints out, a label prints out, there's a lot of
[07:12.920 --> 07:17.900]  flow that continuously in the hospital needs to be contemplated. And I actually don't think
[07:17.900 --> 07:22.780]  it has been. So this is... we had this conversation on the podcast, it hasn't been published yet,
[07:22.780 --> 07:28.200]  but this is why Bo and I decided that you would be perfect to give this talk.
[07:29.500 --> 07:35.280]  Well, thank you for having me on and thank you for helping. So what is ICS? Industrial Control
[07:35.280 --> 07:41.040]  Systems, sometimes also known as SCADA or Operational Technology. There are wonky
[07:41.040 --> 07:46.820]  differences between those three, but fundamentally it's a catch-all for a couple of things.
[07:46.820 --> 07:50.580]  The biggest thing that separates ICS from what we think of a traditional computer is
[07:50.580 --> 07:56.860]  industrial control systems cause physical effects in the real world. We're not just talking data
[07:56.860 --> 08:01.480]  that stays on a hard drive. We're talking about something that actually changes something in the
[08:01.480 --> 08:07.680]  world. If it's a water pump, right? Water pressure, water flow is going to change. If it's airflow,
[08:07.680 --> 08:14.160]  airflow is going to shift and change. Our environment is actually affected. The reason I
[08:14.160 --> 08:18.980]  chose this picture is the best joke that I have that I think clearly illustrates both what it is
[08:18.980 --> 08:24.960]  as well as the problems are any computer that's at least 20 years old is an industrial control system.
[08:24.960 --> 08:31.500]  They were designed to be available and to have a long life cycle. They were... they're expensive.
[08:31.500 --> 08:37.160]  Most of them are expensive. Heavy, heavy capital costs where I want to put this, I want to forget
[08:37.160 --> 08:41.580]  it and I don't have to do anything. The introduction of cybersecurity is still a relatively
[08:41.580 --> 08:46.620]  new phenomenon as much as cybersecurity is a relatively new phenomenon. But particularly in
[08:46.620 --> 08:51.360]  industrial control systems, it's a new thing where previously this would be the kind of equipment
[08:51.360 --> 08:56.380]  that was maintained by a safety engineer who was mostly looking at what do I need to maintain the
[08:56.380 --> 09:01.400]  equipment so that it works, not how do I protect it because somebody might try to manipulate or
[09:01.400 --> 09:07.560]  attack it. So I just want to speak to that on the healthcare side. So there's so many legacy
[09:07.560 --> 09:12.240]  systems and so many legacy devices because same concept, everybody was imagining all these things
[09:12.240 --> 09:17.100]  to be long lasting. And when you're in the hospital and you have all of these devices,
[09:17.100 --> 09:23.320]  there's not a lot of funding that... there's not a lot of payment that goes into the hospital.
[09:23.320 --> 09:28.060]  They're kind of just trying to get to zero and balance themselves out. So having all of these
[09:28.060 --> 09:34.720]  legacy systems and things like this does create a problem when it comes to us putting security
[09:34.720 --> 09:40.820]  around it because we literally have to build these things in. We have to build... what's the thing
[09:40.820 --> 09:50.040]  around the castle? Moats. Perimeter defense. Yes, thank you. You can cut all of my English out.
[09:50.040 --> 09:53.960]  Right, so we have to build perimeters of defense around all of these legacy devices
[09:54.520 --> 10:00.420]  so that they work and we can continue making sure that the patient and the systems work.
[10:00.840 --> 10:07.420]  Yeah, so just being specific since perimeter typically means like the outer shell,
[10:07.420 --> 10:13.320]  and a lot of folks think of that as controlling the ingress and egress to a network. Since a lot
[10:13.320 --> 10:18.880]  of these kinds of systems can't be directly patched, which is a slide that's coming up,
[10:18.880 --> 10:24.740]  typically there is a similar kind of inside, usually we wouldn't use perimeter, but
[10:25.460 --> 10:31.180]  a way to kind of blanket around, control around the traffic to a device. So this is an example
[10:31.180 --> 10:35.040]  where like software-defined networking has become very popular in ICS environments because
[10:35.040 --> 10:41.700]  if I can't patch or improve the configuration of the device itself to make it not vulnerable,
[10:41.700 --> 10:46.460]  at least I can control the traffic around that and adapt it to those kinds of threats.
[10:48.160 --> 10:56.840]  So ICS versus IT, workers versus nerds. We talked about the performance of where I need
[10:56.840 --> 11:02.840]  high availability versus in traditional IT, availability is an issue, but it is not the
[11:02.840 --> 11:07.140]  primary concern. And then of course, when we're talking about risks here, when we think of IT,
[11:07.140 --> 11:12.440]  we think about patient data, we think about privacy. On the operational technology side,
[11:12.440 --> 11:23.800]  we're talking about injury or death. Okay, so some layers of ICS. At the very bottom layer is
[11:23.800 --> 11:30.080]  the direct control. Like I talked about, ICS is where I am physically affecting the environment.
[11:30.080 --> 11:35.140]  And so the most common element for that would be like a programmable logic controller.
[11:35.500 --> 11:39.320]  Everybody at this point knows what a PLC is, even if you've never seen one,
[11:39.320 --> 11:44.680]  because that's what Stuxnet was. Stuxnet affected the PLCs where they were changing
[11:44.680 --> 11:49.180]  the speed of the centrifuges that were doing the uranium enrichment. Again,
[11:49.660 --> 11:54.760]  a device controlling physical effect. And what we would see in a hospital environment would be
[11:55.180 --> 12:00.840]  a pump, something that is cycling water or air. And then above that is the supervisory level. So
[12:00.840 --> 12:07.220]  this is critical to understand these differences because a PLC is not a smart device. It doesn't
[12:07.220 --> 12:12.900]  necessarily know what's the correct operational parameters to function in. When we think about
[12:12.900 --> 12:18.100]  hacking a PLC, very rarely am I going to try to build some special code that's going to go
[12:18.100 --> 12:23.800]  onto that PLC to rewrite it. That does happen. More likely what we see a lot of is issuing
[12:23.800 --> 12:30.400]  commands to the PLC because one, PLCs generally don't accept authentication. Two, the traffic is
[12:30.400 --> 12:36.460]  unencrypted. And three, the PLC itself doesn't know what's good or what's bad. It just does
[12:36.460 --> 12:40.080]  what the supervisor above tells it to do. And then it just makes that happen in the world.
[12:40.080 --> 12:44.600]  And it doesn't always have that feedback loop of understanding if I've gone out of tolerance.
[12:44.700 --> 12:49.220]  The supervisory level is where you would have like a historian or acquisition. And this is
[12:49.220 --> 12:53.540]  literally what it sounds like, right? Like I am monitoring multiple devices that are able to do
[12:53.540 --> 12:57.300]  things and I'm telling them what to do and I'm reading what's happening and then I'm adjusting
[12:57.300 --> 13:04.600]  that. So examples of where we can see that in a hospital are a doctor's workstation or a PACS,
[13:04.600 --> 13:10.600]  which I forget what PACS stands for. It's a photo acquisition computer system, I think.
[13:10.600 --> 13:11.260]  Archiving.
[13:11.260 --> 13:12.120]  What's that?
[13:12.120 --> 13:13.080]  Archiving.
[13:13.080 --> 13:20.280]  Archiving, yes. So patient archiving. So keeping track of all of the different images that are
[13:20.280 --> 13:24.640]  coming from x-rays, MRIs, and all those things and time them in.
[13:24.860 --> 13:33.360]  So I'm going to challenge you on this question on this slide a little bit. So as healthcare
[13:34.120 --> 13:39.040]  hackers, as healthcare security researchers, we tend to talk a lot about the medical devices.
[13:39.440 --> 13:44.960]  We tend to... that's a lot of where the focus is because that's a lot of where the laws revolve
[13:44.960 --> 13:57.520]  around. What is not discussed a lot is the 911 system. So where would that lie in the ICS layers?
[13:57.540 --> 14:01.660]  Right. So I think you're talking more about the fact that we see a lot of embedded device
[14:01.660 --> 14:06.210]  progress, particularly with the work that's been done with Bow and Company at FDA,
[14:07.720 --> 14:12.680]  with what a lot of the I am the Calvary has been advocating, what the biohacking village has been
[14:12.680 --> 14:17.740]  advocating. And then there's this broader question that's even beyond hospitals, which is, okay,
[14:17.740 --> 14:20.920]  what about the rest of the stuff that's a part of that infrastructure, right?
[14:21.480 --> 14:30.420]  And I think the challenge and the solutions are the same. We have to design for security.
[14:30.420 --> 14:36.340]  There is no, I have built this and it is secure. We have to have that actually happen. And it's
[14:36.340 --> 14:44.260]  harder because with traditional ICS, while there has been a lot of attention that has started to
[14:44.260 --> 14:51.780]  be drawn to what is, like I said, a new market. I mean, ICS security, I would say is about six to
[14:51.780 --> 14:56.940]  eight years old. And a lot of the startups are all coming up with different solutions around
[14:56.940 --> 15:03.880]  those things in particular. But this is not something that the average, unless you're a
[15:03.880 --> 15:09.900]  manufacturing plant, unless you are a part of critical infrastructure delivery, folks aren't
[15:09.900 --> 15:17.160]  paying attention or doing anything about this. I'm going to bring you back in then. So why
[15:17.160 --> 15:21.280]  is EMS not considered critical infrastructure?
[15:24.060 --> 15:26.460]  That's a bigger question about my pay grade.
[15:27.560 --> 15:31.400]  I mean, maybe we should discuss it because I bring this up because I think we've had this
[15:31.400 --> 15:34.900]  conversation before and I think a lot of people know, but my father was a paramedic captain for
[15:34.900 --> 15:41.820]  the fire department of New York. And I've seen how some of the systems work and completely agree.
[15:42.380 --> 15:49.900]  There's a lot of things going on. And why,
[15:49.900 --> 15:59.160]  why wouldn't 911 systems, the medics, police, the fire, be considered critical infrastructure
[15:59.160 --> 16:08.400]  enough that they be added to that healthcare, like workflow, that it gets secured more,
[16:08.400 --> 16:12.480]  updated more, thought about more, workload more?
[16:13.320 --> 16:19.420]  So I think that's a policy and funding question of the SSAs and how,
[16:19.420 --> 16:22.660]  because I think there's 16 of them now that define...
[16:22.660 --> 16:24.740]  Just so that we, we don't have acronyms.
[16:24.740 --> 16:30.720]  Sure. So I don't remember what SSA stands for, but SSAs are the specific authorities that are tied,
[16:30.720 --> 16:38.020]  putting a particular critical infrastructure sector tied to a specific agency. So for example,
[16:38.020 --> 16:44.800]  electricity, electricity comes under Department of Energy. Transportation, I believe
[16:46.480 --> 16:52.780]  TSA has that. I'm not sure. I don't have them all memorized. There's 16 of them.
[16:54.780 --> 16:59.380]  So that's what I was trying to go look up while you were talking, was looking up what
[16:59.380 --> 17:06.100]  the SSAs were and to see what tied into medical. Because I don't know if there is some
[17:06.100 --> 17:10.840]  level of that that's already represented, but that's like the,
[17:10.840 --> 17:15.060]  how the United States government breaks and manages it from a funding and accountability
[17:15.060 --> 17:19.980]  perspective. And then at this lower level, of course, is the actual technical execution,
[17:19.980 --> 17:23.080]  which is the industrial control system itself.
[17:25.740 --> 17:28.880]  So I'm afraid I don't know enough to thoroughly answer your question.
[17:29.480 --> 17:31.860]  You brought me here to challenge you?
[17:33.300 --> 17:36.340]  Fireside chat, challenge accepted.
[17:38.060 --> 17:40.660]  You're just getting even for me leaving those notes in, huh?
[17:41.640 --> 17:44.560]  No, no, kind of.
[17:45.700 --> 17:51.040]  So building automation systems. So this is everything that you can think of, right? This
[17:51.040 --> 17:56.320]  is HVAC, fire detection, security and access control, all of those elements that are pretty
[17:56.320 --> 18:00.880]  much in every building to do it. And we talked about that difference, right? We have the
[18:00.880 --> 18:05.900]  higher level infrastructure of water, electricity, that's being brought to the building, and
[18:05.900 --> 18:11.620]  then the elements inside of it that are doing it. Building automation systems, we're looking
[18:11.620 --> 18:17.360]  at operations and backups. We're looking at efficiencies and savings. And so in the process
[18:17.360 --> 18:23.960]  of what have traditionally been very proprietary closed systems, these are now shifting
[18:23.960 --> 18:29.220]  to traditional ICS, like programmable logic controllers to do a lot of the things that
[18:29.220 --> 18:34.080]  used to be proprietary. But now with PLCs, I can work with those on an open ICS development
[18:34.080 --> 18:40.420]  standard to be able to get those savings and those efficiencies across my complexes.
[18:43.470 --> 18:46.310]  I'm good. I'm good. I'll raise my hand.
[18:47.550 --> 18:53.030]  So this is my very fancy explanation of how ICS and IT are two different things.
[18:53.030 --> 18:57.390]  So we've covered some of this organically through what we've been saying, but fundamentally,
[18:57.390 --> 19:03.350]  it's important to recognize that the two are very different, and they need to be treated
[19:03.350 --> 19:10.270]  very differently. As much as there is the debate in IT about patching, as we talked about, that
[19:10.270 --> 19:15.430]  might not even be an option in ICS. And Nina, as you commented about establishing the perimeter,
[19:15.430 --> 19:21.410]  the inner perimeters and moats, we have to have different solutions because we can't patch things
[19:21.410 --> 19:28.010]  to be able to protect them. In fact, ICS can be very brittle. There are a lot of systems on there
[19:28.010 --> 19:34.310]  where even sending the wrong packet can, in fact, cause the system to crash, which is,
[19:34.310 --> 19:38.150]  of course, very dangerous when we consider what they're doing and the high availability
[19:38.150 --> 19:44.710]  necessity of it. So they're both different from a deployment and operations perspective. And that,
[19:44.710 --> 19:49.250]  of course, ties back to they have different security considerations that you can't just
[19:49.250 --> 19:58.510]  apply IT solutions to ICS solutions to solve them. So this, your explanation and this slide
[19:58.510 --> 20:04.410]  remind me of the West. Do you remember when the East Coast went dark because somebody hit a line
[20:04.410 --> 20:13.670]  or something like that? So how does that tie into this? I understand somebody broke an
[20:13.670 --> 20:17.610]  electricity power thing. See, and that's part of the problem. I don't know how to
[20:17.610 --> 20:24.070]  articulate this well, so I feel like maybe you can translate for me. Sure. So let's break that
[20:24.070 --> 20:31.530]  down into multiple things. The first is that was not an attack. Right. That was a misconfiguration.
[20:31.530 --> 20:36.630]  That was an overload. And then there were, through various circumstances, it rippled out. But I want
[20:36.630 --> 20:42.110]  to highlight that piece, first of all, because particularly when we're talking about life
[20:42.110 --> 20:48.590]  and injury, loss of limb, when we're also talking about public trust and understanding into buying
[20:48.590 --> 20:55.150]  into our problems, fear and uncertainty and doubt is the easiest way to scare people. And then at
[20:55.150 --> 20:58.910]  some point, they start to shut down and we lose the ability to have that conversation.
[20:59.250 --> 21:06.930]  Most of the kinds of issues that we've seen are human error. They are failures of the systems,
[21:06.930 --> 21:11.030]  not that there was somebody who was coming and attacking us or doing something.
[21:11.030 --> 21:16.010]  And so the question that then follows is, well, why not? Why has critical infrastructure,
[21:16.010 --> 21:23.650]  if it has these issues, why hasn't it been attacked? And what we have seen is there are
[21:23.650 --> 21:31.210]  lots of what I call iterative intelligence operations where third party adversaries
[21:31.210 --> 21:37.450]  are coming and they are learning and they are stepping and they are trying to see what could
[21:37.450 --> 21:44.370]  happen, learn the environment and map it out. Because the second that they actually,
[21:44.370 --> 21:50.290]  imagine if that was insert adversarial country that took down the entire East Coast.
[21:51.650 --> 21:57.690]  The US response would probably be an armed response. It would not be a, we're going to
[21:57.690 --> 22:01.930]  ping you back and we're going to shut some of your web servers down. No, we're probably going to bomb
[22:01.930 --> 22:08.830]  you. And so that level of deterrence is a part of the landscape when we're talking about critical
[22:08.830 --> 22:15.730]  infrastructure and the cybersecurity component. So the other element there is that the grid,
[22:15.730 --> 22:21.630]  which I put in quotation marks is there is not one monolithic grid. The grid is actually broken
[22:21.630 --> 22:26.670]  down into numerous subsections. And even that is broken down into, I want to say there are
[22:27.430 --> 22:33.350]  about 3000 different operating entities that control parts of just the electric grid,
[22:33.350 --> 22:39.110]  all the way down to like co-ops at a tiny little community level up to some of the large regional
[22:39.110 --> 22:44.310]  providers. And so they all, that heterogeneity, all that different stuff, as much as it's
[22:44.310 --> 22:49.370]  interconnected, actually also helps provide resilience for the grid itself, because something
[22:49.370 --> 22:54.590]  happening here, it's very rare for like what you saw, where it rippled out and took multiple
[22:54.590 --> 23:05.520]  things down. It's very difficult for an attacker to do that too. Here we go. Here are the SSAs.
[23:06.440 --> 23:10.460]  Look at that. Right on time. Okay. Well, not right on time. I should have had this earlier.
[23:10.460 --> 23:15.740]  I know. I was trying to give you credit. Nope. Oh, there you go. Healthcare and public health
[23:15.740 --> 23:25.330]  is one. Yes. You're on there already. It was. Yes, we knew that. I knew that. So...
[23:25.330 --> 23:34.370]  Hey, Nina, right on time. Yes. Okay. I don't know what you were going to say about this grid.
[23:34.690 --> 23:39.350]  No, no. So this is where I wanted to, the conversation that you provoked a couple of slides
[23:39.350 --> 23:45.350]  ago, I had built a slide for it, but I was so flustered by the hard question that I forgot
[23:45.350 --> 23:50.250]  that I had a slide for it. This is what it's like having a conversation with me. I know.
[23:50.910 --> 23:58.910]  Okay. So this is a specific breakout in this case. So I always steal vendor graphics because
[23:58.910 --> 24:03.310]  vendors, of course, are always promoting their own things. This happens to be Johnson Controls,
[24:03.310 --> 24:09.310]  but basically it gives us a detailed nominal explanation of all the elements around airborne
[24:09.310 --> 24:13.670]  infection isolation rooms, which is what you were talking about, right? Particularly in a pandemic,
[24:13.670 --> 24:18.010]  this is critical. This is where we keep the air where it's supposed to be so that we don't get
[24:18.010 --> 24:24.970]  it out and infect other people while we're trying to treat them. There's approximately 12, 13
[24:26.850 --> 24:37.490]  different areas or items to be concerned about that have some technical something that needs
[24:37.490 --> 24:44.310]  to be secured in some way. And this is on top of all the other things that are in that hospital.
[24:48.150 --> 24:57.130]  What kind of... do you think the hospitals are taking these things into consideration? Because
[24:57.130 --> 25:02.310]  again, when we've had conversations with the device manufacturers and other hospitals,
[25:02.310 --> 25:06.490]  healthcare in general, they're like, yeah, they talk a lot about the medical devices.
[25:06.490 --> 25:18.070]  This isn't necessarily discussed. So the curiosity is, is this even on their agenda to think about?
[25:19.630 --> 25:26.770]  So the challenge with hospitals is that they are very much hospital or regionally focused,
[25:26.770 --> 25:32.650]  right? There is no like, here are how all hospitals do something.
[25:33.830 --> 25:39.870]  Going to the original slide where I showed the delta of their challenge with responding,
[25:39.870 --> 25:48.290]  I think that shows both a challenge of priority and capability. So things like this are
[25:49.250 --> 25:56.530]  so far, are further down the track than worrying about PHI spillage and privacy
[25:56.530 --> 26:02.330]  and simple IT operations, let alone, this is kind of more like advanced math.
[26:02.330 --> 26:09.350]  So ICS-specific security issues. Like all things, it started with security through
[26:09.350 --> 26:14.710]  obscurity. Well, we have our thing and you have to get our thing exactly to be able to
[26:14.710 --> 26:20.670]  do something to it. Over time, that doesn't work anymore. And then we've talked about this
[26:20.670 --> 26:25.410]  numerous times already. What is a patch? A lot of these things weren't built to be patched
[26:25.410 --> 26:32.610]  and they were driven by a very expensive capital outlay tied to life cycle management in the 20
[26:32.610 --> 26:40.130]  to 40 year time range. We've also discussed most of them don't have authentication. Once you're in,
[26:40.130 --> 26:45.290]  I can tell you what to do. And then my joke here on what does crypto mean? Because in their case,
[26:45.290 --> 26:50.730]  they don't even know. Encrypted traffic is not something that you can do at all, particularly
[26:50.730 --> 26:55.470]  if you don't even have authentication to start with. So most of this is transmitted in whatever
[26:55.470 --> 27:00.550]  protocol it's communicating in. And there are ICS specific communication protocols,
[27:00.550 --> 27:11.550]  but they're unencrypted. So the surface area specifically, most ICS, the primary attack
[27:11.550 --> 27:17.150]  vector is through the information technology that connects them. Now, of course, the question is,
[27:17.150 --> 27:22.530]  why do they connect them? And so the joke that I always throw out here is an air gap is not an air
[27:22.530 --> 27:27.190]  gap is not an air gap. Everybody says, oh, it's air gapped. And then literally you just keep asking,
[27:27.190 --> 27:31.530]  keep asking. And then eventually you find, well, it's connected here and it's connected that way.
[27:31.530 --> 27:36.170]  And we don't call it an air gap because da, da, da. And nothing is ever completely disconnected.
[27:37.870 --> 27:42.170]  Asterisk, there are always examples where there is, I'm not going to go down that, but fundamentally
[27:42.890 --> 27:49.930]  things do connect. And particularly in a residential setting, they definitely do.
[27:49.930 --> 27:55.690]  And the reason is there's always one thing that your ICS has to tell your IT no matter what.
[27:56.410 --> 28:00.370]  How do I bill you? How much did you use? Because we need the money.
[28:01.710 --> 28:07.910]  And then same kind of problem we see in consumer IoT, there's industrial internet of things,
[28:07.910 --> 28:11.830]  which are the sensors that help provide the feedback for the system to understand what's
[28:11.830 --> 28:20.130]  happening in operation. All of these are much more vulnerable and great examples for lateral
[28:20.130 --> 28:27.130]  movement. What's this on the internet? My joke here being, and so a call out to Chris Kubecka,
[28:27.130 --> 28:32.450]  who presented on hack the world and galaxy with open system intelligence. In her example,
[28:32.450 --> 28:38.470]  she showed how Boeing had a number of things that were vulnerable because a hacker can only
[28:38.470 --> 28:42.650]  hack what they can touch. And if it's internet accessible, then I'm already a good percentage
[28:42.650 --> 28:47.150]  of the way there. And it's the same kind of problem with ICS is making sure that these
[28:47.150 --> 28:53.670]  things are not internet accessible. And oftentimes, not oftentimes, but sometimes they are, and that's
[28:53.770 --> 28:59.850]  a problem. The final vector is physical proximity. Some of these things, particularly when we're
[28:59.850 --> 29:07.570]  looking at like electricity, oil, natural gas, water, they're going to be elements of that
[29:07.570 --> 29:14.010]  critical infrastructure as it extends out from production to transmission or delivery,
[29:14.010 --> 29:18.530]  there's ICS along the way that's out there in public. And maybe it's just surrounded by
[29:18.930 --> 29:23.310]  a fence. Maybe it's surrounded by a barbed wire fence. But one of the things I learned in the army
[29:23.310 --> 29:28.250]  is an obstacle is only good if you have overwatch on it. Just because there's a fence does not mean
[29:28.250 --> 29:32.150]  that somebody can't get to it. So physical proximity to these, particularly when they're
[29:32.150 --> 29:38.720]  speaking RF, is a real challenge. This is well done. Okay.
[29:40.150 --> 29:46.630]  So who is doing this? Well, organized crime, North Korea, like I said, organized crime.
[29:46.810 --> 29:52.890]  So the joke being there that North Korea is fundamentally an organized criminal nation
[29:52.890 --> 29:57.270]  state in what it's doing with its operations. And so a lot of the kinds of attacks that we've
[29:57.270 --> 30:03.230]  primarily seen on hospitals, besides the theft of PHI, PHI being worth a lot more than PII,
[30:03.230 --> 30:07.350]  because I can change my social security number, I can change my name, you can never change your
[30:07.350 --> 30:14.430]  healthcare data, which is why it goes for a multiple on the dark web. Why it's sold for
[30:14.650 --> 30:21.590]  a lot more than a traditional PII record. And then of course, we've seen a significant increase
[30:21.590 --> 30:28.270]  in ransomware. And the IBM report that I referenced earlier, with Ponemon on the cost of
[30:28.350 --> 30:34.430]  a data breach goes into detail about how much has been paid out to ransomware. And the healthcare
[30:34.430 --> 30:39.430]  sector in particular, has been particularly challenged on doing this. We addressed the
[30:39.430 --> 30:46.270]  issues of FUD earlier in the presentation, so we'll skip noting that now. And so, how could
[30:46.270 --> 30:51.070]  they do this? We talked about lateral movement through IT systems being one of the more prominent
[30:51.070 --> 30:57.370]  ways that this can go. Otherwise, we're starting to look at targeted attacks. And so, we went
[30:57.370 --> 31:02.390]  earlier to, well, why haven't we seen these kinds of attacks happen on critical infrastructure
[31:02.390 --> 31:09.350]  writ large is because of the deterrence component. So, I think mostly what we've seen is, of course,
[31:09.350 --> 31:18.590]  there's going to be the primary motivator around finance. So, the easiest way for me to do that,
[31:20.310 --> 31:26.910]  and then potentially the escalation would be a direct denial of service attack. So,
[31:26.910 --> 31:33.550]  focusing on the services that ICS is delivering specifically to a facility or complex,
[31:33.550 --> 31:42.310]  and taking those down. I'm reading your numbers. Those are exponential. Yes.
[31:42.990 --> 31:49.930]  The percentages are high, considering that this is patient care. This is me trusting you
[31:49.930 --> 32:00.190]  with my information, and what will you do with it? And then it's gone. I'm also just thinking about
[32:00.190 --> 32:05.690]  how, again, we talked about this a little bit earlier, the hospitals aim at least to zero out,
[32:05.690 --> 32:17.190]  they're putting $16.5 million out or $640,000. Where is that money coming from? And it's coming
[32:17.190 --> 32:24.290]  from their insurances, because now cybersecurity insurance in hospitals is almost mandatory
[32:24.290 --> 32:30.410]  because of the sensitivity of all of the devices and all of the information that's in there. That's
[32:30.990 --> 32:36.510]  well done you. Yes. Yeah. I mean, the key elements that I would pull out of here on the statistics
[32:36.510 --> 32:42.210]  are one, from the tax going back to 2016, not including this year, 6.6 million patients have
[32:42.210 --> 32:46.510]  been affected by this. Of course, the most significant out of that was the WannaCry
[32:46.510 --> 32:52.310]  ransomware that struck the UK national health system several years ago, and that's been
[32:52.310 --> 32:56.790]  attributed to North Korea. The question of motive on that one was whether that was a test, whether
[32:56.790 --> 33:00.870]  that was on accident or whether that was on purpose. And then the final part here is the
[33:00.870 --> 33:09.150]  overall cost of these attacks is $157 million. And mostly that is capturing the overall cost from
[33:09.150 --> 33:15.710]  having to defend, having to identify, having to do the forensics cleanup, the damages that are
[33:15.710 --> 33:20.950]  actually done when there is a breach and the loss of that data, because privacy regulations,
[33:20.950 --> 33:26.850]  around PHI, have become much, much stronger. So there are some teeth to those now.
[33:26.850 --> 33:35.310]  So I tend to... what is your call to action? There's a lot of information in here. It's very
[33:35.310 --> 33:40.610]  dense. What do you want the healthcare community to do? What do you want the
[33:40.610 --> 33:45.250]  ICS community to do? What do you want the security research community to do?
[33:47.210 --> 33:54.470]  Yeah, that's tough. So, I mean, with the talks that I've been giving around embedded systems and
[33:54.470 --> 34:04.110]  IoT for several years now, I talk about the need to design for security. I think that there are
[34:04.110 --> 34:08.650]  some really low-hanging fruit here that we need to do. But that's really easy for me to wave my
[34:08.650 --> 34:12.050]  researcher wand and say, these things should happen. And it's a lot harder for manufacturers
[34:12.790 --> 34:19.730]  to have to increase the cost of their equipment to consumers, corporate consumers who are buying
[34:19.730 --> 34:25.270]  this stuff to actually pay for that. And so that's the chicken and egg there is everybody
[34:25.270 --> 34:30.910]  knows that these are needed things, but who's going to pay for it? And so typically, whenever
[34:30.910 --> 34:36.770]  there's that middle ground of, well, who's going to do this? I think the answer is government for
[34:36.770 --> 34:44.070]  funding those kinds of solutions. But we have a long way to go because it's just like you can't
[34:44.070 --> 34:48.870]  immediately change equipment when you're producing a car. It's these things have an even longer
[34:48.870 --> 34:53.830]  lifecycle. And so it's going to take a long time for us to dig out of that hole. And we really
[34:53.830 --> 34:59.910]  need the patience and the stick-to-itiveness to get there. There are a lot of solutions that are
[34:59.910 --> 35:06.130]  coming out to the market to solve some of this within, hey, if we can't fix something directly,
[35:06.130 --> 35:10.570]  at least we can, like I said, we can work around it. We can control the environment around it to
[35:10.570 --> 35:17.450]  protect it. So as those continue to push out, those will be cheaper solutions to both identity,
[35:17.450 --> 35:21.810]  anomaly detection, and when I say asset identification, anomaly detection,
[35:21.810 --> 35:27.170]  and then also providing protection in a more of a real-time way.
[35:29.950 --> 35:34.310]  That's essentially what's in the innovation hopper for those to continue to progress that way.
[35:34.310 --> 35:40.330]  So those continuing to roll out would be a good thing. So who would you specifically be looking
[35:40.330 --> 35:45.530]  for to engage in this conversation? You said government, but again, we've had this conversation
[35:45.530 --> 35:52.030]  that government is pretty broad. It's dissected into different sectors. Is there a person that
[35:52.030 --> 35:59.070]  you would say, hi person, I have this information, I would love to have a conference with you, a chat,
[35:59.070 --> 36:05.250]  so that we can do a deep dive and we understand the problem. Here it is. Let's work on that
[36:05.250 --> 36:14.290]  solution. So person, place, thing. Sure. So if you can tell me who's the SSA responsible for the
[36:14.290 --> 36:19.050]  medical and healthcare sector from that earlier slide, I would say that they're a part of this.
[36:20.490 --> 36:26.310]  What? Not even a little laugh at that one. I started looking. You were looking it up.
[36:26.310 --> 36:34.010]  So clearly they're a part of it from a sector specific element. I'm with the ICS Village.
[36:34.010 --> 36:41.330]  We're working with CISA and Department of Energy on additionally pushing out additional programs
[36:41.330 --> 36:46.350]  for hackers in the community to be able to do independent research and push some of these things.
[36:46.450 --> 36:51.170]  A lot of it, as we talked about, since IT skillset is different than ICS skillset,
[36:51.170 --> 36:54.890]  and that's the point of what the ICS Village is doing, is giving folks that are interested
[36:54.890 --> 37:04.030]  and on road so that it's not just these abstract things like, oh, PLC and historian and SCADA,
[37:04.690 --> 37:11.090]  DCS, like, what are we talking about? And making those accessible so that infosec,
[37:11.090 --> 37:17.770]  traditional infosec practitioners can get their feet wet with going this direction.
[37:17.930 --> 37:21.290]  Okay. Thank you. Thank you for having me.
